Configuring a Transparent Bridge in Ubuntu

Configuring a Transparent Bridge in Ubuntu

I have several Internet IP's provided by my ISP, and the router they provide does not support connecting it to a switch to plug in multiple devices. In addition, I have a couple of different ways I want to handle the traffic including my primary NAT firewall, a separate firewall VPN appliance for a certain customer endpoint and a separate web server that I don't want to have direct access to my regular network in case it gets attacked.

Placing a transparent bridge between my ISP and my three devices also gives me the ability to intercept traffic at the far edge of my network and handle any network attacks we might be subject to at that point to improve security. For instance, say I found an easy DOS attack that could be used against my firewall VPN appliance, I'm able to mitigate that weakness in the bridge between that device and my ISP.

Setting it up in Ubuntu is actually pretty easy. In this example let's say I have a small 1U server with four network ports on it that I'm going to use as the bridge. We'll call them OUTSIDE, INSIDE, VPN and EXTWEB. I give one of my Internet accessible IP's to the bridge and connect it to my ISP's network hardware directly. It will then route traffic across it's other three ports based on the destination, giving me a chance to intercept or deny any traffic I see before it hits anything else on the network.

Configure the network interfaces

I start by configuring the IP addresses on the network cards in "/etc/network/interfaces":

autho lo
iface lo inet loopback

auto eth0 eth1 eth2 eth3
# Pretend our internet address is 10.0.0.15 for this box:
# eth0 connects to the ISP on a full duplex 100 Megabit line
iface eth0 inet static
address 10.0.0.15
netmask 255.255.255.0
broadcast 10.0.0.255
up ethtool -s eth0 speed 100 duplex full autoneg off

# Crossover to my primary firewall / NAT router
iface eth1 inet static
address 10.0.0.15
netmask 255.255.255.0
broadcast 10.0.0.255
up ethtool -s eth0 speed 1000 duplex full autoneg off

# For the VPN link
iface eth2 inet static
address 10.0.0.15
netmask 255.255.255.0
broadcast 10.0.0.255

# For the external web server
iface eth3 inet static
address 10.0.0.15
netmask 255.255.255.0
broadcast 10.0.0.255

Notice that all four adapters get the same IP address and subnet. We'll set up the routing in a bit so things end up on the correct ports.

Configure the firewall and routing

Next we want to enable proxy_arp and set up the routing and a basic firewall. There are many ways to go about this and I'll leave that to your imagination but one simple way is just to add it to "/etc/rc.local" so that it happens at every boot.

IPTABLES="/sbin/iptables"
OUTSIDE="eth0"
INSIDE="eth1" # Gets all traffic not peeled off for VPN or WEB
VPN="eth2"
EXTWEB="eth3"

IP_SUB="10.0.0.0/24"
IP_GW="10.0.0.1" # provided by my ISP
IP_EXTWEB="10.0.0.16"
IP_VPN="10.0.0.19"

# Set up proxy_arp:
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth3/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Remove the regular routing table
ip route del $IP_SUB dev eth0
ip route del $IP_SUB dev eth1
ip route del $IP_SUB dev eth2
ip route del $IP_SUB dev eth3

# Specify default route
ip route add $IP_GW dev $OUTSIDE
ip route add $IP_VPN dev $VPN
ip route add $IP_EXTWEB dev $EXTWEB
# Send everything else to the main VPN firewall:
ip route add $IP_SUB dev $INSIDE

# turn on forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Configure the firewall:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
# This is simple - forward all packets to their destinations.  
# You can also insert firewall rules in forward to only allow what you need.
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -A INPUT -p ICMP -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $IP_SUB --dport 22 -j ACCEPT # Allow SSH from our own subnet
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

exit 0

The proxy_arp ensures that my ISP only sees a single MAC address on the network - which they require - yet lets me route multiple devices to the Internet.

With this configuration I'm able to insert a basic firewall in front of my various servers and configure a physically separate DMZ for an Internet facing server. I can also mitigate attacks against the firewall / VPN appliance that is susceptible to a DOS attack. You can also integrate this with a more complicated firewall or even SNORT for network monitoring and reports, bandwidth monitoring systems or whatever else you can imagine. The goal though is to keep it to a minimum so you don't affect throughput performance.

Extra credit: add more security

You can also run blacklisting of IP addresses or ranges here. I'm fond of only allowing access to my network from countries I do business with, so if your IP doesn't fall within one of those couple of countries the traffic would get blocked at the bridge using ipset and never even reach the perimeter firewall.

If you couple a bit more iptables logic and some scripting you could even have other log events from inside the private network trigger IP based banning. Those bans could propagate all the way out to the bridge to block those IP's from attacking the entire subnet. Simply make that ban information available to this server and use it to write a few forwarding rules to block the source traffic. You can also add some TCP rate limiting rules into the firewall that would protect all devices on the other side of it.

Lock it down

Don't forget to remove any services you don't need on this device. For instance, make certain that MySQL, Apache, and even PHP are not installed on the box. You want it to be small. You want it to be secure. You'll notice it only allows SSH connections from my own side of the network so that I can manage it. No other services are available. If you run "netstat -nap" there should be nothing listening that you don't actually need.

Posted by Tony on Apr 02, 2015 | Network Security, Servers